Dear Sir:



We, the below-named inventors of the above-captioned application, declare as follows:
As evidenced by the enclosed relevant pages from the IBM Invention Disclosure form dated as being [illegible]
on September 14, 2000 and modified on December 7, 2000 (cover page of enclosed disclosure), we conceived of the
present invention at least prior to January 1, 2001. Specifically, using the limitations of Claim 4 as an example and
referring to the enclosed document, the inventors conceived of a method for identifying or disabling at least one traitor
receiver with an associated unique, compromised decryption key in a broad[illegible]

of disclosure, paragraph, discussing broadcast to users that have their own keys, which may "leak" if a device is a
traitor); receiving a set of subsets derived from a tree defining leaves, each leaf representing a respective receiver
(second content page, discussing "complete subtree" and "subtree difference" methods; bottom of third page
continuing to top of fourth page, discussing partitioning subsets only if it contains a traitor and continuing to partition



Serial No.: 09/771,239



PATENT 



until a subset contains only a single traitor, which can then be revoked); identifying at least one traitor subset from the
set of subsets as containing at least one leaf representing a traitor receiver (see above); using the traitor subset,
identifying or disabling the traitor receiver (fourth page, first bullet); and determining whether the traitor subset
represents at least two traitor receivers, and if so, dividing the traitor subset into two child sets, fourth page, second
bullet. Also, the specific method may include encoding plural subsets of the set of subsets with a false key, bottom of
[illegible] page continuing to sixth page. The disclosure also teaches several additional features of one or more dependent
claims as shown in the various pages enclosed herewith.

We declare that the inventors and assignee were diligent in reducing the invention to practice at least from a
time prior to January 1, 2001 at least to the present filing date. Specifically, we declare that the enclosed invention
disclosure prior to January 1, 2001 to IBM Intellectual Property Department, which then diligently processed the
application for disclosure to outside counsel in December 2000. A first draft application was prepared for inventor
review on January 3, 2001, which was then diligently reviewed for filing on January 26, 2001 within the usual course
of IBM business in filing patent applications.

We hereby declare that all statements made herein of our own knowledge are true and that all statements made
on information and belief are believed to be true; and further that these statements were made with the knowledge that
willful false statements and the like so made are punishable by fine or imprisonment, or both, under Section 1001 of
Title 18 of the United States Code and that such willful false statements may jeopardize the validity of the application
or any patent issued thereon.



BY: Dalit Naor 



Jeff Lotspiech



Simeon (Moni) Naor 
Respectfully submitted,



John L. Rogitz
Registration No. 33^49
Attorney of Record
750 B Street, Suite 3120
San Diego, CA 92101
Telephone: (619) 338-8075
Response Due to IP&L : 12/21/2000
*Main Idea

1. Describe your invention, stating the problem solved (if appropriate), and indicating the advantages of
using the invention.

This invention deals with prevention of piracy in the context of digital content distribution. Consider an
encryption scheme whereby a Center broadcasts a message to a group of users so that only a subset of 
the users should be able to obtain the content of the message. Such schemes are naturally used for 
distribution of copyright protected content (such as music and movies) or for subscription-based systems 
(e.g. pay TV and Web Casting). A common problem with such schemes is that keys of certain users may 
leak and further be used by pirate decoders, software clones and other illegal means, thereby violating 
ownership rights of the data. 

The invention provides a mechanism to combat the leakage of keys and their subsequent use by illegal
decryption-boxes. Suppose that a pirate decryption-box contains the keys associated with at most t users
$u_1, \ldots, u_t$ known as the "traitors". The goal of a tracing algorithm is to either

1. find the identities of those that contributed their keys to an illicit decryption box, or

2. render the box useless by finding a "pattern" that does not allow decryption using the box, but still
allows broadcasting to the legitimate users.

When combined with an encryption scheme that is capable of revoking illegal users from future
communications it yields a trace-and-revoke mechanism, which is a powerful tool to combat piracy. A
tracing algorithm is evaluated based on (i) the number of illegal keys it is able to trace, (ii) the level of
performance downgrade it imposes on the encryption scheme, and (iii) the number of queries needed to trace
the box.

The suggested scheme is a black-box tracing scheme, i.e. one that does not take the decoder apart but, by
providing it with an encrypted message and observing its output (the decrypted message), tries to figure
out who leaked the keys. It assumes that messages are encrypted using a Subset-Cover encryption
scheme which satisfies the bifurcation property. The precise nature of such encryption schemes is
defined below; two preferred embodiments for subset-cover revocation schemes having the bifurcation
property are the Complete-Subtree method and the Subset-Difference method, which are the subjects of
Disclosure [illegible]

Advantages of using this invention are:
1. In order to trace t illegal users, it requires a message that consists of $t \log N$ keys, where N is the total
number of users in the entire system. A further improvement requires a message length of only 5t
inventions. A Subset-Cover encryption scheme works as follows (as it covers all privileged users by
smaller subsets).

• Each user u is initially assigned some secret information denoted by $L_u$ (typically, these are sets of
keys).

• The scheme defines a collection of subsets of users $S_1, \ldots, S_w$ and their corresponding keys $k_1, \ldots, k_w$
so that for any $1 \le i \le w$ a user u can compute $k_i$ from $L_u$ if and only if it belongs to the subset $S_i$.

• Given M and P, the set P is partitioned into disjoint subsets $S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$ so that every
privileged user is in exactly one subset. M is then encrypted with the keys corresponding to these
subsets:

$\langle E_{k_{i_1}}(K), E_{k_{i_2}}(K), \ldots, E_{k_{i_m}}(K), F_K(M) \rangle$

This allows the users in P, and only them, to obtain M.
Bifurcation property 

Our tracing mechanism requires that the Subset Cover algorithm satisfy the bifurcation property. The
bifurcation property implies that for any subset $S_i$ it is possible to partition $S_i$ into two (or any constant)
roughly equal sets and encrypt M using the two new sets instead of using $S_i$. I.e. there exist sets $S_i^1$
and $S_i^2$ such that

1. $S_i = S_i^1 \cup S_i^2$

2. the size of $S_i^1$ is roughly the same as of $S_i^2$

For a Subset Cover scheme, let the bifurcation value be the relative size of the largest subset in such a
split.

The two preferred embodiments for a Subset-Cover revocation scheme, the Complete Subtree and the
Subtree Difference methods, satisfy the bifurcation property. In the case of the Complete Subtree Method,
the bifurcation value is 1/2 and for the Subtree Difference Method, the bifurcation value is 2/3.

Moreover, the Subtree Difference Method has an additional useful property: given any collection of r
subsets $S_{i_1}, \ldots, S_{i_r}$, the method can cover all users that are not in $S_{i_1}, \ldots, S_{i_r}$ by at most 3r subsets.

In the discussion that follows the encryption scheme is viewed as a "box" that is capable of encrypting M
when provided with either a specific partition S of all privileged users, or with the actual set P of privileged
users. In the latter, the partition that was used is also output. See diagram below.
[Diagram: the encryption box, with P (privileged users) and the partition $S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$]

The Tracing Algorithm



Let N be the total number of users in the system. Suppose that a pirate decryption-box contains the keys
associated with at most t users $u_1, \ldots, u_t$ known as the "traitors". The invention is a subsets-based
tracing algorithm. It devises a sequence of queries that are given to the decoder whose result is either

• a subset of users consisting of the traitors, or

• a partition of users into subsets that renders the box useless, i.e. given a message that is encrypted
with the given partition, the box decrypts the message with probability smaller than the threshold q
while all good users can still decrypt.

Naturally, the tracing algorithm is based on constructing a useful sequence of partitions which will finally
allow the detection of a traitor's identity.

An important procedure in our tracing mechanism is one that, given a partition $S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$ and
an illegal box, outputs one of two possible outputs: either

1. The box cannot decrypt when the encryption is done with partition S, or

2. Finds a subset $S_{i_j}$ such that $S_{i_j}$ contains a traitor.

Such a procedure is called subset tracing.



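[Diagram: subset tracing takes the partition $S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$ and outputs either "not decrypting" or "$S_{i_j}$ contains a traitor"]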

We explain our subset tracing procedure below. For now, let us assume that one exists, and we will now
describe the general tracing algorithm, which uses the subset tracing procedure as a subroutine. The
general algorithm maintains a partition $S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$. At each phase one of the subsets is
partitioned, and the goal is to partition a subset only if it contains a traitor. The initial partition is S = {all
users}. A phase proceeds as follows:

At the beginning of the phase run the subset-tracing procedure with partition $S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$.

• If the procedure outputs that the box cannot decrypt with S then we are done, in the sense
that we have found a way to disable the box without hurting any legitimate user.

• Otherwise, let $S_{i_j}$ be the set output by the subset-tracing procedure, namely $S_{i_j}$ contains a traitor.

  • If $S_{i_j}$ contains only one possible candidate - it must be a traitor. Permanently revoke
  this user from the set of privileged users.

  • Otherwise, split $S_{i_j}$ into two roughly equal subsets and continue with the new
  partitioning. The existence of such a split is assured by the bifurcation property.

The number of iterations of the above can be at most $t \log_a N$, where a is the inverse of the bifurcation
value.



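[Flowchart: starting from S = {all users}, subset tracing is run on the partition S; if the box is not decrypting, done; if $S_{i_j}$ contains a traitor, split $S_{i_j}$ into $S_{i_j}^1$ and $S_{i_j}^2$, giving $S = S_{i_1}, \ldots, S_{i_j}^1, S_{i_j}^2, \ldots, S_{i_m}$]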



The Subset Tracing Procedure: 

The Subset Tracing procedure first tests whether the box decodes a message that is legally encoded with
the partition $S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$ with sufficient probability, say p > 0.5. By "legally encoded" we mean a
normal message that would look exactly like normal operation. If the box does not decode, then it
concludes (and outputs) that the box cannot decrypt with S. Otherwise, it needs to find a subset $S_{i_j}$ that
contains a traitor.

Such a subset is found as follows. Let $p_j$ be the probability that the box decodes the ciphertext

$\langle E_{k_{i_1}}(R_K), E_{k_{i_2}}(R_K), \ldots, E_{k_{i_j}}(R_K), E_{k_{i_{j+1}}}(K), \ldots, E_{k_{i_m}}(K), F_K(M) \rangle$

where $R_K$ is a random string of the same length as the key K; i.e., it is a false key. That is, $p_j$ is the
probability of decoding when the first j subsets have false keys and the remaining subsets encode the
correct key. If $|p_{j-1} - p_j| > p/m$ then it must be that $S_{i_j}$ contains a traitor. We note that at least one such j
always exists.

To efficiently find a subset that contains a traitor, employ the binary-search-like method described hereby
that efficiently finds a pair of values $p_j$ and $p_{j-1}$ among $p_0, \ldots, p_m$ satisfying $|p_{j-1} - p_j| > p/m$. Starting with the
entire interval [0, m], the search is repeatedly narrowed down to an arbitrary interval [a, b]. At each stage,
the middle value $p_c$ is computed and the interval is further halved either to the left half or to the right
half, depending on the difference between $p_c$ and the endpoint values $p_a$ and $p_b$ of the interval. Observe that
$p_0$ is p and $p_m$ is 0. Furthermore, in most practical cases, p is 1; in other words, the clone always decrypts
during normal operation. The method is outlined below; it outputs the index j.

SubsetTracing(a, b, p_a, p_b)
    If (a = b-1)
        return b
    Else
        Let c = ⌈(a+b)/2⌉
        Compute p_c
        If |p_c - p_a| ≥ |(p_a - p_b)/2|
            return SubsetTracing(a, c, p_a, p_c)
        Else
            return SubsetTracing(c, b, p_c, p_b)

Efficiency: Subset tracing requires $O(\log m)$ evaluations of $p_j$. An evaluation of $p_j$ must be within an
accuracy that reveals a difference of the order of 1/m: namely, $p_j$ needs to be estimated so the difference
between its true value and its estimated value does not exceed 1/2m with assurance probability of $1-\epsilon$.
Also, the true value of $p_j$ can be as small as of the order of 1/m. It follows from Chernoff bounds that
$m^2 \log(1/\epsilon)$ ciphertext queries to the decoding box are sufficient to estimate such $p_j$ within the required accuracy.
Hence, a subset tracing procedure that works with success probability of $\epsilon \log m$ requires
$m^2 \log m \log(1/\epsilon)$ ciphertext queries over the entire procedure.
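The general tracing loop and the SubsetTracing search described above, run against a simulated decoder, as an added example that is not part of the disclosure. The decoder model in `make_box`, the range-based subsets (halved as in a complete subtree), the function names and the sample count are assumptions made for illustration.

```python
import random

def make_box(traitors, rng):
    """Constructed pirate decoder holding the traitors' keys. Per query it uses
    one still-covered key at random; subsets 0..j-1 carry the false key R_K."""
    def box(partition, j):
        usable = [i for i, (lo, hi) in enumerate(partition)
                  for u in traitors if lo <= u < hi]
        return bool(usable) and rng.choice(usable) >= j
    return box

def estimate(box, partition, j, samples):
    """Empirical p_j: fraction of queries decoded when the first j subsets are false."""
    return sum(box(partition, j) for _ in range(samples)) / samples

def subset_tracing(p_of, a, b, pa, pb):
    """Binary search from the text: returns j with a gap between p_{j-1} and p_j."""
    while a != b - 1:
        c = (a + b + 1) // 2                  # ceil((a + b) / 2)
        pc = p_of(c)
        if abs(pc - pa) >= abs(pa - pb) / 2:  # at least half the gap lies in [a, c]
            b, pb = c, pc
        else:
            a, pa = c, pc
    return b

def trace(box, n_users, samples=1000):
    """General tracing loop. Subsets are leaf ranges [lo, hi) halved on demand
    (bifurcation value 1/2). Returns (revoked users, final partition)."""
    partition, revoked = [(0, n_users)], []
    while True:
        p = estimate(box, partition, 0, samples)
        if p <= 0.5:                          # box no longer decodes with S
            return revoked, partition
        j = subset_tracing(lambda c: estimate(box, partition, c, samples),
                           0, len(partition), p, 0.0)   # p_0 = p, p_m = 0
        lo, hi = partition.pop(j - 1)
        if hi - lo == 1:
            revoked.append(lo)                # single candidate: it is a traitor
        else:
            mid = (lo + hi) // 2
            partition[j - 1:j - 1] = [(lo, mid), (mid, hi)]

if __name__ == "__main__":
    rng = random.Random(7)                    # constructed scenario: 64 users, 3 traitors
    revoked, final = trace(make_box({5, 42, 43}, rng), 64)
    print(sorted(revoked), len(final))
```

The final partition is the revocation message: it still covers every legitimate user while excluding each traced traitor.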

Subset Tracing with Noisy Binary Search: It is possible to improve the efficiency of the subset tracing
procedure by viewing it as a noisy-binary search procedure. The noisy binary search assumes that at
each step of the decision tree the correct decision is obtained with probability 1-Q, where Q is a value
close to 1/2, for example Q=1/3. In a model where each answer is correct with some fixed probability (say
greater than 2/3) that is independent of history it is possible to perform binary search in $\log N + \log 1/Q$
queries where log N is the number of levels in the search tree. Specifically for our case, we can assume that
the computation of $p_c$ at each step may yield a faulty value with probability Q. This yields that the number of
queries required over the entire procedure can be reduced to $m^2 (\log m + \log 1/Q)$.

Improving The Tracing Algorithm 

Among the $t \log N$ subsets generated by the basic tracing algorithm, only t actually contain a traitor. The
idea is to repeatedly merge those subsets which are not known to contain a traitor so as to reduce the
number of subsets in the partition. For some encryption schemes it is possible to efficiently perform this
merging, thus reducing the length of the message required to trace t traitors. For example, the preferred
embodiment uses the Sub[illegible] and requires a message of
only 5t to trace t traitors (instead of $t \log N$).

Specifically, we maintain at each iteration a frontier of at most 2t subsets and merge the rest of the
subsets. In the following iteration a subset that contains a traitor is further partitioned; as a result, a new
frontier is defined and the remaining subsets are re-grouped.

Frontier subsets 

Let $S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$ be the partition at the current iteration. A pair of subsets $S_{i_{j_1}}$ and $S_{i_{j_2}}$ is said
to be in the frontier if $S_{i_{j_1}}$ and $S_{i_{j_2}}$ resulted from a split-up of a single subset at an earlier iteration. Also
neither $S_{i_{j_1}}$ nor $S_{i_{j_2}}$ was singled out by the subset tracing procedure so far. This definition implies that
the frontier is composed of at most t disjoint pairs of buddy subsets.

The improved tracing algorithm proceeds in iterations. Every iteration starts with a partition
$S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$. Denote by $F \subseteq S$ the frontier of S. An iteration consists of the following steps, by the end of
which a new partition S' and a new frontier F' is defined.

• As before, use the Subset Tracing procedure to find a subset $S_{i_j}$ that contains a traitor. If the
tracing procedure outputs that the box cannot decrypt with S then we are done. Otherwise, split
$S_{i_j}$ into $S_{i_j}^1$ and $S_{i_j}^2$.

• Set $F' = F \cup S_{i_j}^1 \cup S_{i_j}^2$ (include $S_{i_j}^1$ and $S_{i_j}^2$ in the new frontier). Furthermore, if $S_{i_j}$ was in the
frontier F and $S_{i_k}$ was its buddy-subset in F then $F' = F' \setminus S_{i_k}$ (remove $S_{i_k}$ from the new
frontier).

• Compute a cover C for all receivers that are not covered by F'. Define the new partition S' as the
union of C and F'.

An encryption method that can construct a small cover C for the non-frontier sets in the third step can take
advantage of this improvement.

Tracing Traitors from Many Boxes 

As new illegal decoding boxes, decoding clones and hacked keys are continuously being introduced
during the lifetime of the system, a revocation strategy needs to be adopted in response. This revocation
strategy is computed by first revoking the identities of all the receivers that need to be excluded, resulting
in some partition S.

To trace traitors from possibly more than one illegal decoder and make all of these boxes non-decoding,
the tracing algorithm needs to be run in parallel on all boxes by providing all boxes with the same input.
The initial input is the partition S that results from the set of all users that have not been revoked so far.
As the algorithm proceeds, when the first box detects a traitor in one of the sets it re-partitions accordingly
and the new partition is now input to all boxes simultaneously. The output of this simultaneous algorithm is
a partition (or "revocation strategy") that renders all revoked receivers and illegal black boxes invalid.



3. If the same advantage or problem has been identified by others (inside/outside IBM), how have those 
others solved it and does your solution differ and why is it better? 